US20060010486A1 - Network security active detecting system and method thereof - Google Patents


Info

Publication number
US20060010486A1
Authority
US
United States
Prior art keywords
networking
security
client end
network
active detecting
Prior art date
Legal status
Abandoned
Application number
US10/904,542
Inventor
Chih-Chung Lu
He-Ren Lin
Current Assignee
ICP Electronics Inc
Original Assignee
ICP Electronics Inc
Application filed by ICP Electronics Inc
Assigned to ICP Electronics Inc (assignment of assignors' interest; see document for details). Assignors: LIN, HE-REN; LU, CHIH-CHUNG
Publication of US20060010486A1

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 Network architectures or network communication protocols for providing a confidential data exchange among entities communicating through data packet networks
                • H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L 63/10 Network architectures or network communication protocols for controlling access to devices or network resources
                • H04L 63/105 Multiple levels of security
        • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
                • H04L 69/163 In-band adaptation of TCP data exchange; in-band control procedures
            • H04L 69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols
            • H04L 69/24 Negotiation of communication capabilities

Definitions

  • A network security active detecting method used in a network system connecting to at least one client end and a server end includes: utilizing a security condition detecting unit to determine the security level of the client end according to the initial networking between the client end and the server end; when the security level of the client end is confirmed to be high, negotiating for a communication protocol identified during the networking between the client end and the server end so as to determine a security service routine; processing the packets transmitted between the client end and the server end with the security service routine according to the communication protocol; and confirming the networking between the client end and the server end so as to release system resources.
  • FIG. 1 is a functional block diagram of a network security active detecting system according to a preferred embodiment of the present invention.
  • FIG. 2 is a flowchart of the network security active detecting method according to a preferred embodiment of the present invention.
  • FIG. 3 illustrates initial networking
  • FIG. 4 illustrates the operating principle of the packet process mechanism.
  • FIG. 5 is a diagram of a three-way handshaking networking between a network security active detecting system for a client end and a server end according to a first embodiment of the present invention.
  • FIG. 6 is a diagram of a three-way handshaking networking between a client end and a network security active detecting system for a server end according to a second embodiment of the present invention.
  • FIG. 7 is a diagram of a three-way handshaking networking between a network security active detecting system for a client end and a network security active detecting system for a server end according to a third embodiment of the present invention.
  • FIG. 8 is a diagram of a three-way handshaking networking between a network security active detecting system for a client end and a network security active detecting system for a server end according to a fourth embodiment of the present invention.
  • FIG. 1 is a functional block diagram of a network security active detecting system 10 according to a preferred embodiment of the present invention.
  • The network security active detecting system 10 is used in a network with at least one client end and a server end. It includes a networking-judging unit 100, a Layer 2 bridge 102, a security condition detecting unit 120, a configuration exchange unit 130, a Layer 3 packet process unit 140, and a negotiating mechanism 150, and further includes at least one active bridge adjacent to the client end or the server end.
  • The networking-judging unit 100 of the network security active detecting system 10 judges, with a check table, whether an initial networking request of a client end is sent to an authorized network. The check table records every authorized networking beforehand, as a Layer 2 MAC address of the client, a Layer 3 IP address, or a Layer 4 service port number. When the request is not sent to an authorized network, any packet transmitted from the client end is recorded and the Layer 2 bridge sends it out directly without processing.
  • The security condition detecting unit 120 includes a packet process mechanism 124 that handles the initial networking between the client end and the server end once the networking-judging unit 100 confirms that the networking request of the client end is sent to the authorized network.
  • FIG. 4 illustrates the operating principle of the packet process mechanism 124. During the networking between a client end 40 and a server end 44, the packet process mechanism 124 operates a function f(X) on the identification X in the head of a packet transmitted from a network security active detecting system 32, and operates the inverse function f⁻¹(X′) on the identification X′ in the head of a packet received by a network security active detecting system 42.
  • The security condition detecting unit 120 determines the security level of the client end 40 by comparing the result of f⁻¹(X′) with a predetermined progressive value (SN+1). If f⁻¹(X′) is equal to SN+1, the security level of the client end is high; that is, the client end 40 includes a network security active detecting system 10 corresponding to the network security active detecting system 32. If f⁻¹(X′) is not equal to SN+1, the security level of the client end is low; that is, the client end 40 does not include a corresponding network security active detecting system. The derivation of the predetermined progressive value (SN+1) is described later.
  • Because the packet process mechanism 124 of the security condition detecting unit 120 operates the function f(X) on the identification in the head of the packet, the information carried in the packet is not erased when the packet is transmitted through several network apparatuses.
  • FIG. 3 illustrates initial networking. Under TCP/IP, the initial networking between a client end 30 and a server end 34 is a three-way handshake transmitting SYN, ACK+SYN, and ACK packets. The handshake establishes pre-communication between the client end 30 and the server end 34 before the initial networking, so that the networking and the identity of the respective protocols can be confirmed.
  • The initial networking between the client end and the server end as processed by the packet process mechanism 124 of the security condition detecting unit 120 is illustrated in FIG. 5, 6, 7, and 8 instead of the initial networking in FIG. 3.
  • When the security condition detecting unit 120 determines that the security level of the client end is high, the configuration exchange unit 130 controls the client end and the server end to negotiate for a communication protocol, so that each obtains the setting details of the other's network security active detecting system. The three-way handshake ensures that the client end and the server end can share this information with each other via the designated packet, taking the time-out and retransmission problems into account. The detailed information of the networking is stored in the packet in a manner dependent on the communication type.
  • The detailed information carried in the packet can be a security service setting value corresponding with the protocol identified by the client end and the server end, which is used in a security service routine such as an encryption/decryption service, a digital signature service, or a pattern match service. For the encryption/decryption service, the security service setting value can be an encryption algorithm and the corresponding enciphering/deciphering key.
  • The Layer 3 packet process unit 140 processes packets transmitted between the client end and the server end with the security service routine according to the communication protocol. That is, when operating the security service routine, the Layer 3 packet process unit 140 processes the Layer 3 data payload of the packet transmitted between the client end and the server end according to the security service setting value.
  • For a packet of a non-authorized network, the network security active detecting system receives the packet from a network port, checks it on Layer 2, and sends it out via the Layer 2 bridge (TCP/IP Layer 2 bridge) 102 without processing it on Layer 3.
  • The network security active detecting system 10 does not modify the Layer 3 IP address and processes the data after the Layer 3 head of the packet; that is, it processes the data in and above the Layer 3 payload.
  • The network security active detecting system according to the present invention builds up a tunnel on Layer 3 with agent identification, sends the packet back, and sends packets out via the tunnel in the opposite direction.
  • The termination of the network security active detecting system depends on a time-out mechanism. For example, when no packet flows through the network security active detecting system during a predetermined period, its action is terminated, and the system then activates the negotiating mechanism 150 to confirm the networking between the client end and the server end so as to release system resources.
  • FIG. 2 is a flowchart of the network security active detecting method according to a preferred embodiment of the present invention. The method is used in a network with at least one client end and a server end, and the network system includes at least one active bridge adjacent to the client end or the server end. The method includes the following steps:
  • Step 200: Detect the packet transmitted between the client end and the server end.
  • Step 210: Utilize a networking-judging unit 100 to determine whether an initial networking request of a client end is sent to an authorized network.
  • Step 212: When the networking-judging unit 100 determines that the networking request of the client end is not sent to the authorized network, any packet transmitted from the client end is sent out by a Layer 2 bridge. When the networking-judging unit 100 determines that the networking request is sent to the authorized network, go to step 220.
  • Step 220 (active detection step): Utilize a security condition detecting unit to determine the security level of the client end. The security condition detecting unit runs the packet process mechanism shown as steps 222, 224, and 226 in FIG. 5, FIG. 6, FIG. 7, and FIG. 8: it operates a function on the identification in the head of each packet it transmits and the inverse function on the identification in the head of each packet it receives, and then performs the actions shown in those figures. The security level of the client end is determined by comparing the result computed from the identification in the head of the packet with a predetermined progressive value: if the result is equal to the predetermined progressive value, the security level of the client end is high; otherwise it is low.
  • Step 230 (setting exchange step): When the security condition detecting unit confirms that the security level of the client end is high, utilize a configuration exchange unit 130 to control the client end and the server end to negotiate for a communication protocol identified during the networking so as to determine a security service routine.
  • Step 240 (Layer 3 packet process service step): Utilize a Layer 3 packet process unit 140 to process the Layer 3 data payload of the packet transmitted between the client end and the server end with the security service routine according to a security service setting value of the communication protocol.
  • Step 250: Utilize a negotiating mechanism 150 to confirm the networking between the client end and the server end so as to release system resources.
  • FIG. 5 is a diagram of the three-way handshake between a network security active detecting system 52 for a client end 50 and a server end 54 according to a first embodiment of the present invention. When the client end 50 sends a SYN packet with identification SN0 in its head, the network security active detecting system 52 operates the packet process mechanism in step 222: the function f(SN0) is computed, and a SYN packet whose head identification is f(SN0) is transmitted to the server end 54.
  • When the server end 54 replies with an ACK+SYN packet with identification SN1, step 226 is processed: the inverse function f⁻¹(SN1) is computed and compared with the predetermined progressive value SN0+1. If f⁻¹(SN1) is not equal to SN0+1, which is the case here because the server end 54 has no corresponding network security active detecting system, the security level is low. The network security active detecting system 52 for the client end 50 therefore only transmits the ACK+SYN+SN1 packet to the client end 50 without other processing; the client end 50 then increments SN1 to SN2 and transmits an ACK+SN2 packet to the server end 54 to end the networking.
  • FIG. 6 is a diagram of the three-way handshake between a client end 60 and a network security active detecting system 62 for a server end 64 according to a second embodiment of the present invention. When the client end 60 sends a SYN packet with identification SN0, the network security active detecting system 62 for the server end 64 operates the packet process mechanism in step 222: the inverse function f⁻¹(SN0) is computed, and a SYN packet with identification f⁻¹(SN0) is transmitted to the server end 64. When the server end 64 replies with an ACK+SYN packet with identification SN1, the function f(SN1) is computed (step 224) and an ACK+SYN+f(SN1) packet is transmitted to the client end 60.
  • When the client end 60 replies with an ACK packet with identification SN2, the network security active detecting system 62 operates step 226: the inverse function f⁻¹(SN2) is computed and compared with the predetermined progressive value SN1+1. If f⁻¹(SN2) is not equal to SN1+1, no corresponding network security active detecting system is installed at the client end 60, so the security level is low. The network security active detecting system 62 for the server end 64 therefore only transmits the ACK+SN2 packet to the server end 64 without other processing to end the networking.
  • FIG. 7 is a diagram of the three-way handshake between a network security active detecting system 72 for a client end 70 and a network security active detecting system 73 for a server end 74 according to a third embodiment of the present invention. When the client end 70 sends a SYN packet with identification SN0, the network security active detecting system 72 for the client end 70 operates the packet process mechanism in step 222: the function f(SN0) is computed, and a SYN packet with identification f(SN0) is transmitted to the network security active detecting system 73 for the server end 74.
  • The network security active detecting system 73 restores the identification with the inverse function f⁻¹ and passes the SYN packet to the server end 74. When the server end 74 replies with an ACK+SYN packet with identification SN1, step 224 is processed: the function f(SN1) is computed, and an ACK+SYN+f(SN1) packet is transmitted to the network security active detecting system 72 for the client end 70, which then processes step 226: the inverse function f⁻¹(f(SN1)) = SN1 is computed and compared with the predetermined progressive value SN0+1. If SN1 is equal to SN0+1, a corresponding network security active detecting system is installed at the opposite end, so the security level is high.
  • FIG. 8 is a diagram of the three-way handshake between a network security active detecting system 82 for a client end 80 and a network security active detecting system 83 for a server end 84 according to a fourth embodiment of the present invention. The fourth embodiment is similar to the third. The difference is that in the third embodiment the network security active detecting system 72 for the client end 70 is responsible for determining the security level, as shown in FIG. 7, whereas in the fourth embodiment the network security active detecting system 83 for the server end 84 is responsible for determining the security level, as shown in FIG. 8. The other working principles of the third and fourth embodiments are the same.
  • The network security active detecting system and method only apply the security service routine to the Layer 3 data payload of the packet instead of modifying the Layer 3 IP address. This increases communication transparency, so the system does not become complicated and unstable whether it is used in a client-to-server or a peer-to-peer network architecture; users keep their original networking methods instead of changing the network architecture to connect to a router gateway and modifying the IP address.
  • The network security active detecting system detects the security level of the opposite networking end automatically and decides, according to that level, whether to operate the corresponding security service routine on the packets transmitted between the client end and the server end. When the security level of the opposite networking end is low, the Layer 2 bridge sends the packet out directly without processing. The present invention thus provides the proper security service routine for the packets transmitted between the client end and the server end according to the security level instead of providing security service for every client end, which relieves network congestion and increases the efficiency of the system.
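The four handshake embodiments above (FIG. 5 to FIG. 8), as an added example that is not part of the patent: a Python simulation of the identification numbers exchanged between a client end, a server end, and the detecting systems in front of them, with the step 222/224/226 logic in the two "box" classes. The patent does not name the function f; the affine map f(x) = A*x + B mod 2^32 with the constants A and B, the class names, and the handshake() driver are assumptions made here.

```python
# Added example (not the patent's code). Models only the "identification of
# the head" values of the SYN, SYN+ACK and ACK packets; f is an assumed
# affine map modulo 2^32 so that f^-1 exists.
MASK32 = 0xFFFFFFFF
A = 0x9E3779B1               # assumed constant; odd, so invertible mod 2^32
B = 0x7F4A7C15               # assumed constant
A_INV = pow(A, -1, 1 << 32)  # modular inverse of A


def f(x: int) -> int:
    """Function applied to the identification of a transmitted packet."""
    return (A * x + B) & MASK32


def f_inv(y: int) -> int:
    """Inverse function applied to the identification of a received packet."""
    return (A_INV * ((y - B) & MASK32)) & MASK32


class Packet:
    def __init__(self, flags: str, ident: int):
        self.flags = flags    # "SYN", "SYN+ACK" or "ACK"
        self.ident = ident    # identification of the head (32-bit)


class PlainClient:
    """Client end without a detecting system: SYN carries SN0, ACK carries received + 1."""
    def __init__(self, sn0: int):
        self.sn0 = sn0

    def syn(self) -> Packet:
        return Packet("SYN", self.sn0)

    def ack(self, synack: Packet) -> Packet:
        return Packet("ACK", (synack.ident + 1) & MASK32)


class PlainServer:
    """Server end without a detecting system: SYN+ACK carries received + 1."""
    def synack(self, syn: Packet) -> Packet:
        return Packet("SYN+ACK", (syn.ident + 1) & MASK32)


class ClientBox:
    """Detecting system in front of the client: f on what it sends (step 222),
    f^-1 on what it receives, decision f^-1(SYN+ACK ident) == SN0 + 1 (step 226)."""
    def __init__(self):
        self.sn0 = None
        self.level = None

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.flags == "SYN":
            self.sn0 = pkt.ident
        if self.level == "low":
            return pkt        # opposite end has no box: Layer 2 pass-through
        return Packet(pkt.flags, f(pkt.ident))

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.flags == "SYN+ACK":
            expected = (self.sn0 + 1) & MASK32
            self.level = "high" if f_inv(pkt.ident) == expected else "low"
        if self.level == "low":
            return pkt
        return Packet(pkt.flags, f_inv(pkt.ident))


class ServerBox:
    """Detecting system in front of the server: f^-1 inbound (step 222),
    f outbound (step 224), decision f^-1(ACK ident) == SN1 + 1 (step 226)."""
    def __init__(self):
        self.sn1 = None
        self.level = None

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.flags == "ACK":
            expected = (self.sn1 + 1) & MASK32
            self.level = "high" if f_inv(pkt.ident) == expected else "low"
            if self.level == "low":
                return pkt    # no corresponding box at the client: pass-through
        return Packet(pkt.flags, f_inv(pkt.ident))

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.flags == "SYN+ACK":
            self.sn1 = pkt.ident
        return Packet(pkt.flags, f(pkt.ident))


def handshake(client, server, client_box=None, server_box=None):
    """Run the three packets through whichever boxes are present; return
    (client box decision, server box decision), each "high", "low" or None."""
    def c2s(p):
        if client_box:
            p = client_box.outbound(p)
        if server_box:
            p = server_box.inbound(p)
        return p

    def s2c(p):
        if server_box:
            p = server_box.outbound(p)
        if client_box:
            p = client_box.inbound(p)
        return p

    syn = c2s(client.syn())
    synack = s2c(server.synack(syn))
    c2s(client.ack(synack))
    return (client_box.level if client_box else None,
            server_box.level if server_box else None)


if __name__ == "__main__":
    c, s = PlainClient(0x1000), PlainServer()
    print("FIG. 5 client box only:", handshake(c, s, client_box=ClientBox()))
    print("FIG. 6 server box only:", handshake(c, s, server_box=ServerBox()))
    print("FIG. 7/8 both boxes:   ", handshake(c, s, ClientBox(), ServerBox()))
```

FIG. 5 yields ("low", None), FIG. 6 yields (None, "low"), and with a box at both ends (FIG. 7 and FIG. 8 differ only in which box's decision is used) both report "high". Two points follow directly from the arithmetic. First, f must not commute with the +1 increment: with a pure offset f(x) = x + B, f⁻¹(f(SN0) + 1) equals SN0 + 1 for any peer, so every end would be judged "high"; that is why the example multiplies by an odd constant. Second, the "security level" is a capability check: it is "high" exactly when the opposite end applied the same f and f⁻¹, so its value rests on f and its constants being known only to the deployed detecting systems, not on anything about the host behind the box.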

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A network security active detecting system for connecting to at least one client end and a server end in a network system includes a networking-judging unit for judging whether a networking request of a client end is sent to an authorized network, a security condition detecting unit for determining the security level of the client end after the networking-judging unit confirms the networking request of the client end is sent to the authorized network, a configuration exchange unit for controlling the client and server ends to negotiate for a communication protocol identified during the networking so as to determine a security service routine, a Layer 3 packet process unit for processing packets transmitted between the client end and the server end with the security service routine according to the communication protocol, and a negotiating mechanism for confirming the networking between the client and server ends for releasing system resources.

Description

    BACKGROUND OF INVENTION
  • 1. Field of the Invention
  • The present invention relates to a network security active detecting system and a method thereof, and more particularly, to a network security active detecting system and a method thereof capable of providing a proper service according to a security condition of a client end.
  • 2. Description of the Prior Art
  • With the rapid development of network technology, packets carrying private information such as confidential data, personal IDs, and passwords can be transmitted easily and quickly through a public network system (e.g. the Internet). However, an attacker is able to intrude into the public network system and intercept the data, so maintaining the safety of data transmitted over a public network is an important topic. Nowadays, various types of Internet appliances (IA) such as security gateways, routers, or firewall devices have been developed. For a specific protocol (e.g. FTP, HTTP, or Telnet), such Internet appliances disposed at either a client end or a server end of the network system can provide security for the data transmitted across the network system.
  • If more network security mechanisms or devices provide security services, such as an encryption/decryption service, a digital signature service, or a packet filter service, transmission over the network system is more reliable, but more network bandwidth is occupied and the processing efficiency of the system is reduced. In addition, there are two common ways to provide such security services: installing a driver program on the operating system, or utilizing a router gateway to control the input/output of packets. The former increases the complexity and decreases the stability of the system, and is inconvenient for the maintenance of a public machine such as a public notebook. The latter requires modifying the network architecture. For example, when a machine with a public IP that is connected directly to the Internet is instead connected through the router gateway, the IP address of the machine has to be modified, so a security service such as an encryption/decryption service with tunneling becomes more complicated.
  • In a client-server network architecture, any client end can request to download data from a server end; in a peer-to-peer network architecture, a receiving end can request to download music or image data from a providing end. When multiple client ends ask to connect to a server end for downloading data, the server end has to provide the security service for every client end, even a non-malicious one, congesting the network and decreasing the efficiency of the server end.
  • SUMMARY OF INVENTION
  • It is therefore a primary objective of the present invention to provide a network security active detecting system and a method thereof to solve the problem mentioned above. The network security active detecting system and method are for use in a network architecture with a server end and a client end, such as a client-to-server or a peer-to-peer network architecture. The present invention utilizes a Layer 2 Bridge of the TCP/IP protocol instead of modifying the IP address of Layer 3, and processes a data payload of Layer 3 of the packet to operate a security service routine so as to increase the communication transparency. Users still can keep original networking methods instead of changing the network architecture to connect to a router gateway and modifying the IP address, so the system would not become complicated and unstable.
  • Furthermore, the present invention provides a network security active detecting system and a method thereof. The network security active detecting system and method are for use in a network architecture with a server end and a client end, such as a client-to-server or a peer-to-peer network architecture. When a networking request of a client end is sent to an authorized network, the network security active detecting system determines the security level of the client end automatically. When it confirms that the security level of the client end is high, the two network security active detecting systems of the server end and the client end negotiate for a communication protocol with a security service setting value so as to determine a security service routine for the packets transmitted between the client end and the server end. When it confirms that the security level of the client end is low, a Layer 2 bridge sends out the packet transmitted from the client end directly without processing. So the present invention can provide the proper security service routine for the packets transmitted between the client end and the server end according to the security level, instead of providing a security service for every client end that requests to connect, as in the prior art. The present invention can thereby relieve network congestion and increase the efficiency of the system.
  • According to the claimed invention, a network security active detecting system for connecting to at least one client end and a server end in a network system includes a networking-judging unit for judging whether a networking request of a client end is sent to an authorized network, a security condition detecting unit for determining the security level of the client end after the networking-judging unit confirms the networking request of the client end is sent to the authorized network, a configuration exchange unit for controlling the client end and the server end to negotiate for a communication protocol identified during the networking so as to determine a security service routine, a Layer 3 packet process unit for processing packets transmitted between the client end and the server end with the security service routine according to the communication protocol, and a negotiating mechanism for confirming the networking between the client end and the server end so as to release system resources.
  • According to the claimed invention, a network security active detecting method used in a network system connecting to at least one client end and a server end includes utilizing a security condition detecting unit to determine the security level of the client end according to initial networking between the client end and the server end, negotiating for a communication protocol identified during the networking between the client end and the server end so as to determine a security service routine when confirming that the security level of the client end is high, processing the packet transmitted between the client end and the server end in the security service routine according to the communication protocol, and confirming the networking between the client end and the server end so as to release system resources.
  • These and other objectives of the claimed invention will no doubt become obvious to those of ordinary skill in the art after reading the following detailed description of the preferred embodiment that is illustrated in the various figures and drawings.
  • BRIEF DESCRIPTION OF DRAWINGS
  • FIG. 1 is a functional block diagram of a network security active detecting system according to a preferred embodiment of the present invention.
  • FIG. 2 is a flowchart of the network security active detecting method according to a preferred embodiment of the present invention.
  • FIG. 3 illustrates initial networking.
  • FIG. 4 illustrates the operating principle of the packet process mechanism.
  • FIG. 5 is a diagram of a three-way handshaking networking between a network security active detecting system for a client end and a server end according to a first embodiment of the present invention.
  • FIG. 6 is a diagram of a three-way handshaking networking between a client end and a network security active detecting system for a server end according to a second embodiment of the present invention.
  • FIG. 7 is a diagram of a three-way handshaking networking between a network security active detecting system for a client end and a network security active detecting system for a server end according to a third embodiment of the present invention.
  • FIG. 8 is a diagram of a three-way handshaking networking between a network security active detecting system for a client end and a network security active detecting system for a server end according to a fourth embodiment of the present invention.
  • DETAILED DESCRIPTION
  • Please refer to FIG. 1. FIG. 1 is a functional block diagram of a network security active detecting system 10 according to a preferred embodiment of the present invention. The network security active detecting system 10 is used in a network with at least one client end and a server end. The network security active detecting system 10 includes a networking-judging unit 100, a Layer 2 bridge 102, a security condition detecting unit 120, a configuration exchange unit 130, a Layer 3 packet process unit 140, and a negotiating mechanism 150. The network security active detecting system 10 further includes at least one active bridge of the preferred embodiment adjacent to the client end or the server end.
  • The networking-judging unit 100 of the network security active detecting system 10 judges with a check table whether an initial networking request of a client end is sent to an authorized network. The check table records beforehand every piece of authorized networking data, including a Layer 2 MAC address of the client, a Layer 3 IP address, or a Layer 4 service port number. When the networking-judging unit 100 determines that the networking request of the client end is not sent to the authorized network, any packet transmitted from the client end is recorded, and the Layer 2 bridge sends out the packet transmitted from the client end directly without processing.
  • The security condition detecting unit 120 includes a packet process mechanism 124 that handles the initial networking between the client end and the server end once the networking-judging unit 100 confirms that the networking request of the client end is sent to the authorized network. Please refer to FIG. 4, which illustrates the operating principle of the packet process mechanism 124. During the networking between a client end 40 and a server end 44, the packet process mechanism 124 operates a function f(X) on an identification X in the head of the packet transmitted from a network security active detecting system 32 and operates the inverse function f⁻¹(X′) on an identification X′ in the head of the packet received by the network security active detecting system 42. The security condition detecting unit 120 determines the security level of the client end 40 by comparing the operating result of f⁻¹(X′) with a predetermined progressive value (SN+1). If the operating result of f⁻¹(X′) is equal to the predetermined progressive value (SN+1), the security level of the client end is high; that is, the client end 40 includes a network security active detecting system 10 corresponding to the network security active detecting system 32. Otherwise, if the operating result of f⁻¹(X′) is not equal to the predetermined progressive value (SN+1), the security level of the client end is low; that is, the client end 40 does not include a network security active detecting system 10 corresponding to the network security active detecting system 32. The derivation of the predetermined progressive value (SN+1) is described later.
  • The packet process mechanism 124 of the security condition detecting unit 120 operates the function f(X) on the identification in the head of the packet so that the information carried in the packet is not erased while the packet is transmitted across several network apparatuses. The 16-bit identification field of the IP head carries a serial number that identifies the individual packet; the serial number is incremented by 1 after the client end or the server end sends out a packet, and the predetermined progressive value (SN+1) is derived from this rule. Because the field is not used frequently, the information of the network security active detecting system can be stored in it.
  • Please refer to FIG. 3. FIG. 3 illustrates initial networking. The initial networking under TCP/IP between a client end 30 and a server end 34 is a three-way handshaking networking that transmits SYN packets, ACK+SYN packets, and ACK packets. The handshaking establishes pre-communication between the client end 30 and the server end 34 before the initial networking, so that the networking can be confirmed and the identity of the respective protocols can be confirmed. In the embodiment of the present invention, the operation of the initial networking between the client end and the server end as processed by the packet process mechanism 124 of the security condition detecting unit 120 is illustrated in FIGS. 5, 6, 7 and 8 instead of the initial networking of FIG. 3.
  • The configuration exchange unit 130 controls the client end and the server end to negotiate for a communication protocol, so that each obtains the setting details of the other's network security active detecting system, when the security condition detecting unit 120 determines that the security level of the client end is high. For example, the three-way handshaking networking can ensure that the client end and the server end share information with each other via the designated packet, taking the time-out problem and the retransmission problem into account. In addition, the detailed information of the networking can be stored in the packet in a manner that depends on the communication type. The detailed information carried in the packet can be a security service setting value corresponding to the protocol identified by the client end and the server end, which is used in a security service routine such as an encryption/decryption service, a digital signature service, or a pattern match service. For example, the security service setting value used in the encryption/decryption service can be an encryption algorithm and a corresponding enciphering/deciphering key.
  • The Layer 3 packet process unit 140 processes packets transmitted between the client end and the server end with the security service routine according to the communication protocol. That is, when the Layer 3 packet process unit 140 operates the security service routine, it processes the Layer 3 data payload of the packet transmitted between the client end and the server end according to the security service setting value. The network security active detecting system receives a packet of the non-authorized network from a network port and then sends it out via a Layer 2 bridge (TCP/IP Layer 2 bridge) 102 after the packet has been checked on Layer 2; such a packet is not processed on Layer 3. This is because the network security active detecting system 10 does not modify the Layer 3 IP address and processes only the data that follows the Layer 3 head of the packet; that is, the network security active detecting system 10 processes the data from the Layer 3 payload upward. The network security active detecting system according to the present invention builds up a tunnel on Layer 3 with agent identification and sends back the packet, and the network security active detecting system sends out the packet via the tunnel in the opposite direction.
  • For a session-oriented networking, such as TCP/IP, the action of the network security active detecting system is terminated when the networking session is about to close. For a non-session-oriented networking, such as UDP, the termination of the network security active detecting system depends on a time-out mechanism: for example, when no packet flows through the network security active detecting system during a predetermined period, the action of the network security active detecting system is terminated. The network security active detecting system then activates the negotiating mechanism 150 to confirm the networking between the client end and the server end so as to release system resources.
  • Please refer to FIG. 2. FIG. 2 is a flowchart of the network security active detecting method according to a preferred embodiment of the present invention. The network security active detecting method is used in a network with at least one client end and a server end. The network system also includes at least one active bridge adjacent to the client end or the server end. The method includes the following steps:
  • Step 200: Detect the packet transmitted between the client end and the server end.
  • Step 210: Utilize a networking-judging unit 100 to determine whether an initial networking request of a client end is sent to an authorized network.
  • Step 212: When the networking-judging unit 100 determines that the networking request of the client end is not sent to the authorized network, any packet transmitted from the client end is sent out by a Layer 2 bridge. Otherwise, when the networking-judging unit 100 determines that the networking request of the client end is sent to the authorized network, go to step 220.
  • Step 220: Utilize a security condition detecting unit to determine the security level of the client end. The security condition detecting unit runs the packet process mechanism shown in step 222, step 223, and step 224 of FIG. 5, FIG. 6, FIG. 7, and FIG. 8. That is, the packet process mechanism operates a function on the identification in the head of the packet transmitted from the security condition detecting unit and operates the inverse function on the identification in the head of the packet received by the security condition detecting unit. The security condition detecting unit then performs the actions shown in FIG. 5, FIG. 6, FIG. 7, and FIG. 8 and determines the security level of the client end by comparing the operating result on the identification in the head of the packet with a predetermined progressive value. If the operating result is equal to the predetermined progressive value, the security level of the client end is high; otherwise, the security level of the client end is low. Step 220 is an active detection step.
  • Step 230: Utilize a configuration exchange unit 130 to control the client end and the server end to negotiate for a communication protocol identified during the networking so as to determine a security service routine when the security condition detecting unit confirms that the security of the client end is high. Step 230 is a setting exchange step.
  • Step 240: Utilize a Layer 3 packet process unit 140 to process a data payload on Layer 3 of the packet transmitted between the client end and the server end with the security service routine according to a security service setting value of the communication protocol. Step 240 is a Layer 3 packet process service step.
  • Step 250: Utilize a negotiating mechanism 150 to confirm the networking between the client end and the server end so as to release system resources. When the initial networking is terminated, go to step 200 and process the next packet of the initial networking.
  • Please refer to FIG. 5. FIG. 5 is a diagram of a three-way handshaking networking between a network security active detecting system 52 for a client end 50 and a server end 54 according to a first embodiment of the present invention. When the client end 50 sends a packet with a SYN message and an identification SN0 in its head, the network security active detecting system 52 operates the packet process mechanism in step 222. That is, the function f(SN0) is operated, and a packet with the SYN message and f(SN0) as the identification of the head is transmitted to the server end 54. After the server end 54 receives the packet, a progressive value SN1 (SN1=f(SN0)+1) is derived by adding 1 to f(SN0). The server end 54 then replies with a packet containing an ACK and SYN message and an identification SN1 in its head. When the network security active detecting system 52 receives the packet with the ACK+SYN+SN1 message, step 226 is processed. That is, the inverse function f⁻¹(SN1) is operated, and the operating result of f⁻¹(SN1) is compared with the predetermined progressive value SN0+1. If the operating result of f⁻¹(SN1) is not equal to the predetermined progressive value SN0+1, a corresponding network security active detecting system is not installed in the server end 54, so the security level is low. Therefore the network security active detecting system 52 for the client end 50 only transmits the packet with the ACK+SYN+SN1 message to the network security active detecting system 52 without other processing, and the client end 50 then adds 1 to SN1 to obtain SN2 and transmits the packet with the ACK+SN2 message to the server end 54 to end the networking.
  • Please refer to FIG. 6. FIG. 6 is a diagram of a three-way handshaking networking between a client end 60 and a network security active detecting system 62 for a server end 64 according to a second embodiment of the present invention. After the client end 60 sends out a packet with a SYN message and an identification SN0 in its head, the network security active detecting system 62 for the server end 64 operates the packet process mechanism in step 222. That is, the inverse function f⁻¹(SN0) is operated, and a packet with the SYN message and f⁻¹(SN0) as the identification of the head is transmitted to the server end 64. After the server end 64 receives the packet, a progressive value SN1 (SN1=f⁻¹(SN0)+1) is derived by adding 1 to f⁻¹(SN0). The server end 64 then replies with a packet containing an ACK and SYN message and an identification SN1 in its head. When the network security active detecting system 62 receives the packet with the ACK+SYN+SN1 message, the function f(SN1) is operated and a packet with the ACK+SYN+f(SN1) message is transmitted to the client end 60. After the client end 60 receives the packet, SN2 is derived by adding 1 to f(SN1) (SN2=f(SN1)+1), and a packet with the ACK+SN2 message is transmitted to the network security active detecting system 62. The network security active detecting system 62 then operates step 226. That is, the inverse function f⁻¹(SN2) is operated, and the operating result of f⁻¹(SN2) is compared with the predetermined progressive value SN1+1. If the operating result of f⁻¹(SN2) is not equal to the predetermined progressive value SN1+1, a corresponding network security active detecting system is not installed in the client end 60, so the security level is low. Therefore the network security active detecting system 62 for the server end 64 only transmits the packet with the ACK+SN2 message to the server end 64 without other processing to end the networking.
  • Please refer to FIG. 7. FIG. 7 is a diagram of a three-way handshaking networking between a network security active detecting system 72 for a client end 70 and a network security active detecting system 73 for a server end 74 according to a third embodiment of the present invention. After the client end 70 sends out a packet with a SYN message and an identification SN0 in its head, the network security active detecting system 72 for the client end 70 operates the packet process mechanism in step 222. That is, the function f(SN0) is operated, and a packet with the SYN message and f(SN0) is transmitted to the network security active detecting system 73 for the server end 74. After the server end 74 receives the packet, a progressive value SN1 (SN1=SN0+1) is derived by adding 1 to SN0. The server end 74 then replies with a packet containing an ACK+SYN+SN1 message. When the network security active detecting system 73 for the server end 74 receives the packet with the ACK+SYN+SN1 message, step 224 is processed. That is, the function f(SN1) is operated, and a packet with the ACK+SYN+f(SN1) message is transmitted to the network security active detecting system 72 for the client end 70. Step 226 is then processed by the network security active detecting system 72 for the client end 70. That is, the inverse function f⁻¹(f(SN1)) is operated, and its operating result, SN1, is compared with the predetermined progressive value SN0+1. If SN1 is equal to the predetermined progressive value SN0+1, a corresponding network security active detecting system is installed in the client end 70, so the security level is high. Therefore the network security active detecting system 73 for the server end 74 starts to prepare the security service and transmits the packet with the ACK+SYN+SN1 message to the client end 70, and the client end 70 then adds 1 to SN1 to calculate SN2 (SN2=SN1+1) and transmits the packet with an ACK+SN2 message to the server end 74 to end the networking.
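As an added example (not code from the patent or from ICP Electronics), the following Python simulation walks the handshakes of FIG. 5 and FIG. 7 through the packet process mechanism. It assumes an invertible f of a form the patent leaves unspecified (multiplication by an odd constant modulo 2^16) and a plain endpoint that increments the received identification by 1; beyond the figures, it also covers the 16-bit wrap-around at 0xFFFF and a peer whose detecting system uses a different f.

```python
"""Simulation of the identification-field probe used during the three-way handshake.

Added example, not the patent's own code. Assumptions the patent does not fix:
  * f is multiplication by an odd constant modulo 2**16, which is invertible on the
    16-bit identification field (any invertible map would serve).
  * An endpoint without a detecting system follows the rule the description relies on:
    the identification in its reply is the received identification plus 1.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MOD = 1 << 16  # the identification field of the IP head is 16 bits wide


def succ(x: int) -> int:
    """Progressive value SN+1, with 16-bit wrap-around (0xFFFF -> 0)."""
    return (x + 1) % MOD


class IdTransform:
    """Assumed invertible pair f / f^-1 on the identification field."""

    def __init__(self, a: int) -> None:
        if a % 2 == 0:
            raise ValueError("multiplier must be odd to be invertible mod 2**16")
        self.a = a % MOD
        self.a_inv = pow(self.a, -1, MOD)  # modular inverse, exists because a is odd

    def f(self, x: int) -> int:
        return (x * self.a) % MOD

    def f_inv(self, y: int) -> int:
        return (y * self.a_inv) % MOD


@dataclass
class Packet:
    flags: str  # "SYN", "SYN+ACK" or "ACK"
    ident: int  # 16-bit identification field of the IP head


class Endpoint:
    """Client or server stack without a detecting system: reply ident = received + 1."""

    def reply(self, pkt: Packet) -> Packet:
        if pkt.flags == "SYN":
            return Packet("SYN+ACK", succ(pkt.ident))
        if pkt.flags == "SYN+ACK":
            return Packet("ACK", succ(pkt.ident))
        raise ValueError(f"unexpected flags {pkt.flags}")


class ClientSideSystem:
    """System 52 / 72: f on the outgoing SYN (step 222); f^-1 and the comparison
    with the predetermined progressive value SN0+1 on the incoming SYN+ACK (step 226)."""

    def __init__(self, t: IdTransform) -> None:
        self.t = t
        self.expected: Optional[int] = None
        self.security_level: Optional[str] = None

    def outbound(self, pkt: Packet) -> Packet:
        self.expected = succ(pkt.ident)  # SN0+1
        return Packet(pkt.flags, self.t.f(pkt.ident))

    def inbound(self, pkt: Packet) -> Packet:
        result = self.t.f_inv(pkt.ident)
        if result == self.expected:
            self.security_level = "high"      # a corresponding system answered (FIG. 7)
            return Packet(pkt.flags, result)  # hand SN1 = SN0+1 on to the client end
        self.security_level = "low"           # plain peer: forward unchanged (FIG. 5)
        return pkt


class ServerSideSystem:
    """System 62 / 73: f^-1 on the incoming SYN so the server end sees SN0 again;
    f on the outgoing SYN+ACK (step 224)."""

    def __init__(self, t: IdTransform) -> None:
        self.t = t

    def inbound(self, pkt: Packet) -> Packet:
        return Packet(pkt.flags, self.t.f_inv(pkt.ident))

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(pkt.flags, self.t.f(pkt.ident))


def run_handshake(sn0: int, client_t: IdTransform,
                  server_t: Optional[IdTransform]) -> Tuple[str, int]:
    """Run the three-way handshake; return (security level, ident of the final ACK).
    server_t=None models a server end without a detecting system (FIG. 5)."""
    client, server = Endpoint(), Endpoint()
    cs = ClientSideSystem(client_t)
    ss = ServerSideSystem(server_t) if server_t else None
    syn = cs.outbound(Packet("SYN", sn0))     # f(SN0) on the wire
    if ss:
        syn = ss.inbound(syn)                 # server end receives SN0
    synack = server.reply(syn)                # SN1 = received ident + 1
    if ss:
        synack = ss.outbound(synack)          # f(SN1) on the wire
    ack = client.reply(cs.inbound(synack))    # SN2 = forwarded ident + 1
    return cs.security_level, ack.ident


if __name__ == "__main__":
    t = IdTransform(0x9E37)  # constructed multiplier
    print(run_handshake(0x1234, t, None))                  # ('low', ...)
    print(run_handshake(0x1234, t, IdTransform(0x9E37)))   # ('high', 4662)
    print(run_handshake(0xFFFF, t, IdTransform(0x9E37)))   # ('high', 1)
```

Note that the multiplier has to agree on both sides: a peer running a detecting system with a different f is reported as low, exactly like a peer with none.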
  • Please refer to FIG. 8. FIG. 8 is a diagram of a three-way handshaking networking between a network security active detecting system 82 for a client end 80 and a network security active detecting system 83 for a server end 84 according to a fourth embodiment of the present invention. The fourth embodiment is similar to the third embodiment. The difference between them is that the network security active detecting system 72 for the client end 70 is responsible for determining the security level in the third embodiment, as shown in FIG. 7, whereas the network security active detecting system 82 for the client end 80 is responsible for determining the security level in the fourth embodiment, as shown in FIG. 8. The other working principles of the third and fourth embodiments are the same.
  • In the above-mentioned embodiments, the network security active detecting system and method thereof apply the security service routine only to the Layer 3 data payload of the packet instead of modifying the Layer 3 IP address, so the present invention increases the communication transparency and the system does not become complicated and unstable, whether it is used in a client-to-server network architecture or a peer-to-peer network architecture. Users can keep their original networking methods instead of changing the network architecture to connect to a router gateway and modifying the IP address. In addition, the network security active detecting system according to the present invention detects the security level of the opposite networking end automatically and decides, according to that security level, whether to operate a corresponding security service routine on the packets transmitted between the client end and the server end. When the security level of the opposite networking end is low, a Layer 2 bridge sends out the packet directly without processing. So the present invention can provide the proper security service routine for the packets transmitted between the client end and the server end according to the security level, instead of providing a security service for every client end. The present invention can thereby relieve network congestion and increase the efficiency of the system.
  • Following the detailed description of the present invention above, those skilled in the art will readily observe that numerous modifications and alterations of the device and the method may be made while retaining the teachings of the invention. Accordingly, the above disclosure should be construed as limited only by the metes and bounds of the appended claims.

Claims (20)

1. A network security active detecting system for connecting to at least one client end and a server end in a network system comprising:
a networking-judging unit for judging whether a networking request of a client end is sent to an authorized network;
a security condition detecting unit for determining the security level of the client end after the networking-judging unit confirms the networking request of the client end is sent to the authorized network;
a configuration exchange unit for controlling the client end and the server end to negotiate for a communication protocol identified during the networking so as to determine a security service routine;
a Layer 3 packet process unit for processing packets transmitted between the client end and the server end with the security service routine according to the communication protocol; and
a negotiating mechanism for confirming the networking between the client end and the server end so as to release system resources.
2. The network security active detecting system of claim 1 wherein the networking-judging unit comprises a check table for recording every authorized networking data beforehand comprising a Layer 2 MAC address, a Layer 3 IP address, or a Layer 4 service port number.
3. The network security active detecting system of claim 1 wherein when the networking-judging unit determines that the networking request of the client end is not sent to the authorized network, a Layer 2 Bridge sends out the packet transmitted from the client end directly.
4. The network security active detecting system of claim 1 wherein the security condition detecting unit comprises a packet process mechanism for operating a function for an identification of a head of the packet transmitted from the network security active detecting system and operating an inverse function for an identification of a head of the packet received by the network security active detecting system during the initial networking between the client end and the server end.
5. The network security active detecting system of claim 4 wherein the initial networking between the client end and the server end is a three-way handshaking networking for transmitting SYN packets, ACK+SYN packets, and ACK packets.
6. The network security active detecting system of claim 4 wherein the security condition detecting unit determines the security level of the client end according to the comparison between an operating result of the identification of the head of the packet received by the network security active detecting system and a predetermined progressive value.
7. The network security active detecting system of claim 1 wherein the communication protocol negotiated by the client end and the server end comprises a security service setting value.
8. The network security active detecting system of claim 7 wherein the security service routine comprises an encryption/decryption service, a digital signature service, or a pattern match service.
9. The network security active detecting system of claim 7 wherein the Layer 3 packet process unit processes a data payload on Layer 3 of the packet transmitted between the client end and the server end according to the security service setting value when the Layer 3 packet process unit operates the security service routine.
10. A network security active detecting method for use in a network system connecting to at least one client end and a server end comprising:
utilizing a security condition detecting unit to determine the security level of the client end according to initial networking between the client end and the server end;
negotiating for a communication protocol identified during the networking between the client end and the server end so as to determine a security service routine when confirming that the security level of the client end is high;
processing the packet transmitted between the client end and the server end in the security service routine according to the communication protocol; and
confirming the networking between the client end and server end so as to release system resources.
11. The network security active detecting method of claim 10 further comprising utilizing a networking-judging unit for judging whether a networking request of the client end is sent to an authorized network.
12. The network security active detecting method of claim 11 wherein the networking-judging unit comprises a check table for recording every authorized networking data beforehand comprising a Layer 2 MAC address, a Layer 3 IP address, or a Layer 4 service port number.
13. The network security active detecting method of claim 11 wherein when the networking-judging unit determines that the networking request of the client end is not sent to the authorized network, a Layer 2 Bridge sends out the packet transmitted from the client end directly.
14. The network security active detecting method of claim 11 wherein when the networking-judging unit determines the networking request of the client end is sent to the authorized network, the initial networking between the client end and the server end is processed.
15. The network security active detecting method of claim 10 wherein the initial networking between the client end and the server end is a three-way handshaking networking for transmitting SYN packets, ACK+SYN packets, and ACK packets.
16. The network security active detecting method of claim 10 further comprising operating a function for an identification of a head of the packet transmitted from the security condition detecting unit and operating an inverse function for an identification of a head of the packet received by the security condition detecting unit during the initial networking between the client end and the server end.
17. The network security active detecting method of claim 16 wherein the security condition detecting unit determines the security level of the client end according to the comparison between an operating result of the identification of the head of the packet received by the security condition detecting unit and a predetermined progressive value.
18. The network security active detecting method of claim 10 wherein the communication protocol negotiated by the client end and the server end comprises a security service setting value.
19. The network security active detecting method of claim 18 wherein the security service routine comprises an encryption/decryption service, a digital signature service, or a pattern match service.
20. The network security active detecting method of claim 19 wherein the security service setting value of the encryption/decryption service comprises an encryption algorithm and a corresponding enciphering/deciphering key.
US10/904,542 2004-07-09 2004-11-16 Network security active detecting system and method thereof Abandoned US20060010486A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TW093120531A TWI253267B (en) 2004-07-09 2004-07-09 Network security active detection system and method
TW093120531 2004-07-09

Publications (1)

Publication Number Publication Date
US20060010486A1 true US20060010486A1 (en) 2006-01-12

Family

ID=35542817

Country Status (2)

Country Link
US (1) US20060010486A1 (en)
TW (1) TWI253267B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009076072A1 (en) * 2007-12-13 2009-06-18 Microsoft Corporation Proxy with layer 3 security
US20110029679A1 (en) * 2009-07-31 2011-02-03 Canon Kabushiki Kaisha Communication apparatus, communication method and program
US20130179537A1 (en) * 2012-01-10 2013-07-11 International Business Machines Corporation Transmitting of configuration items within a network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6055236A (en) * 1998-03-05 2000-04-25 3Com Corporation Method and system for locating network services with distributed network address translation
US20040088571A1 (en) * 2002-01-31 2004-05-06 John Jerrim Network service zone locking
US20040170129A1 (en) * 2002-12-16 2004-09-02 Ntt Docomo, Inc. Automatic detecting method for protocol nonconformity and automatic detecting apparatus for protocol nonconformity

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009076072A1 (en) * 2007-12-13 2009-06-18 Microsoft Corporation Proxy with layer 3 security
US8635440B2 (en) 2007-12-13 2014-01-21 Microsoft Corporation Proxy with layer 3 security
US20110029679A1 (en) * 2009-07-31 2011-02-03 Canon Kabushiki Kaisha Communication apparatus, communication method and program
US9380131B2 (en) * 2009-07-31 2016-06-28 Canon Kabushiki Kaisha Communication apparatus, communication method and program
US20130179537A1 (en) * 2012-01-10 2013-07-11 International Business Machines Corporation Transmitting of configuration items within a network
US9172607B2 (en) * 2012-01-10 2015-10-27 International Business Machines Corporation Transmitting of configuration items within a network

Also Published As

Publication number Publication date
TWI253267B (en) 2006-04-11
TW200603590A (en) 2006-01-16

Similar Documents

Publication Publication Date Title
JP3343064B2 (en) Pseudo network adapter for capturing, encapsulating and encrypting frames
KR101055861B1 (en) Communication system, communication device, communication method and communication program for realizing it
US8984268B2 (en) Encrypted record transmission
Eggert et al. Unicast UDP usage guidelines for application designers
US7305546B1 (en) Splicing of TCP/UDP sessions in a firewalled network environment
EP1774438B1 (en) System and method for establishing a virtual private network
US6779033B1 (en) System and method for transacting a validated application session in a networked computing environment
US7890759B2 (en) Connection assistance apparatus and gateway apparatus
KR100943551B1 (en) Security protocols on incompatible transports
US8219679B2 (en) Detection and control of peer-to-peer communication
US10469530B2 (en) Communications methods, systems and apparatus for protecting against denial of service attacks
US8386783B2 (en) Communication apparatus and communication method
EP3414877B1 (en) Technique for transport protocol selection and setup of a connection between a client and a server
US20090144436A1 (en) Reverse network authentication for nonstandard threat profiles
KR101971995B1 (en) Method for decryping secure sockets layer for security
US20060010486A1 (en) Network security active detecting system and method thereof
Berbecaru et al. On the robustness of applications based on the SSL and TLS security protocols
US7860977B2 (en) Data communication system and method
JP4893279B2 (en) Communication apparatus and communication method
CA2661053C (en) Method for reactivation of a secure communication link
Hohendorf et al. Secure end-to-end transport over sctp
CN100435526C (en) Network safety dynamic detection system and method
JP2007150879A (en) Terminal device and information communication system
WO2021212204A1 (en) Methods and systems for processing information streams
CN115118713A (en) Data processing method and device and electronic equipment

Legal Events

Date Code Title Description
AS Assignment

Owner name: ICP ELECTRONICS INC., TAIWAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LU, CHIH-CHUNG;LIN, HE-REN;REEL/FRAME:015364/0452;SIGNING DATES FROM 20040301 TO 20040305

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION